The ACC Warranty Group
Toll Free: 888.299.9888Are you unsure if and how your organization needs to comply with SOX in respect to outsourced business functions and processes?
By Susan Jendrey
___________________________________________________________________
While SOX has clear expectations for internal controls and the need for reporting material variances in real-time laid out (in Sections 404 and 409), nothing in the act itself specifically addresses compliance requirements for outsourced business and IT functions and processes.
What does this mean for the IT executive? If you are currently outsourcing or considering outsourcing, how will this affect your firm’s ability to comply with SOX? Since the original publication date of the Act, what standards have been written to outline compliance requirements when outsourcing to service organizations?
Deputy chief accountant Andrew Bailey and professional accounting fellow Nancy Salisbury, both with the U.S. Securities and Exchange Commission, outlined three publications to help clarify outsourcing and SOX compliance (see links at end of article).
According to Salisbury, the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2, Appendix B, paragraphs B18 - B29 also speak to what management needs to do. “If auditors have to do attest to certain standards, then management has to do at least that much.”
First, organizations need to ensure that their outsourced business and IT functions and processes comply with SOX Section 404 (Internal Controls). On March 9, 2004, in a very clear response, PCAOB (fondly referred to as peek-a-boo) issued a written statement, in which it noted, “The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting.”
___________________________________________________________________________
Second, on June 18, 2004, the SEC approved the PCAOB Auditing Standard No. 2, “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” The standard addresses both the work required to audit internal control over financial reporting as well as the relationship of that audit to the audit of the financial statements. In this document, PCAOB states that Statement of Auditing Standards No. 70 (SAS 70), Service Organizations (AU section 324) applies to the audit of financial statements of a company that obtains services from another organization that are part of its information system.
A service organization’s services are part of a company’s information system if they affect any of the following:
The classes of transactions in the company’s operations that is significant to the company’s financial statements
The procedures, both automated and manual, by which the company’s transactions are initiated, authorized, recorded, processed, and reported from their incurrence to their inclusion in the financial statements
The related accounting records, whether electronic or manual, supporting information and specific accounts in the company’s financial statements involved in initiating, authorizing, and recording, processing, and reporting the company’s transactions
How the company’s information system captures other events and conditions that are significant to the financial statements
The financial reporting process used to prepare the company’s financial statements, including significant accounting estimates and disclosures Furthermore, Auditing Standard No. 2 indicates that evidence about the operating effectiveness of controls at a service organization can be obtained from a Type 2 SAS No. 70 report. The "Staff Questions and Answers" (see links below) outlines what to do if the report is issued more than six months prior to the date of management’s assessment. Lastly, the auditor of the service organization can be the same as the auditor of the user organization.
________________________________________________________________________
Even after reading the follow-up documentation provided by the SEC and PCAOB, some individuals will be disappointed that there is no specific checklist to ensure compliance. According to Lee Dittmar, principal with Deloitte Consulting LLP, “They will be missing the point. Section 404 is principle-based regulation, not rule-based. There could be more than one way to comply. Individuals need to apply sound business practices that best fit their company’s situation. And, they need to focus on the spirit not just the letter of the law.”
With respect to IT, Dittmar notes that “SOX presents four key categories of impact: (1) application-level controls, (2) general computer-level controls, (3) new functionality to support first-year compliance, and (4) changes and improvements to enable ongoing compliance.
"Management needs to take second and third looks at outsourcing arrangements and agreements. They cannot become complacent because they have obtained a piece of paper covering the first year. It will become critical to revisit terms and conditions of contracts with outsourcers through the lens of SOX.”
When asked how organizations are actually applying these guidelines, Deloitte national director of SAS 70 services Bruce Marcus replies, “Service organizations now have a heightened awareness that internal controls within their organization affect their customers [user organizations]. One of the ways [a] service organization [has] been able to demonstrate effectiveness of [its] internal controls is by issuing a SAS 70 Type 2 report.
_____________________________________________________________________
“During the audit process, if an outsourced process or function is deemed critical to financial controls or financial statements, we assess not only controls in the service organization but also complimentary controls in the user organization.”
Some organizations are finding that they need to supplement SAS 70 reports for Section 404 outsourcing compliance. Bruce Winters, a CPA and leader in the systems and process assurance practice at PricewaterhouseCoopers, adds, “Some organizations are sending in either their own internal auditors, their external auditors, or, in some cases, asking the service bureau to do additional testing. They want tests conducted specific to their company, not just a general assessment of the service provider.
“For example, organizations may want outsourcers to conduct tests specific to the servers and machines that their applications are run on. They want to know what problems they’ve had and how those problems are being tested. Additionally, organizations are looking at physical or logical security, segregation of duties (development separate from operations), and at specific applications outsourced to service providers.”
Keep in mind, Winters continues, that “SAS 70 was created for auditors. It provides guidelines for a service bureau audit so that other auditors can rely on it. (Imagine if all of ADP’s customers had to conduct a separate audit of ADP.) Very basic stuff is covered in SAS 70 audits. Not a lot of meat goes into those reports. Now that companies are relying on SAS 70 for Section 404 compliance, it’s becoming a different story.”
The bottom line: SAS 70 provides basic guidelines. Managers whose organizations outsource need to assure adequate financial controls assessment for relevant outsourced processes. Work with your auditors to determine if outsourced functions warrant SAS 70 Type 2 reports and/or additional, custom tests.
_________________________________________________________________________
Credits:
PCAOB Bylaws and Rules-Standards, Auditing Standard No. 2 -- An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, March 9, 2004, Appendix B, Paragraphs B18 through B29
PCAOB Staff Questions and Answers—Auditing Control over Financial Reporting, June 23, 2004, Questions 24 through 27
American Institute of Certified Public Accountants Professional Standards AU 324, Service Organizations
___________________________________________________________________________
**All state laws apply. Certain federal laws may also apply. Contact us for more info at info@accws.com
___________________________________________________________
___________________________________________________________
To obtain a free copy of any warranty by mail please send a request to: Warranty Requests at The Acc Warranty Group, 8888 Keystone Crossing, 13th Floor, Indianapolis Indiana 46260 stating your request along with your name and return address.
* This is an overview of coverage only - not an actual warranty.
** You must refer to the actual VSC vehicle service contract to obtain specific information about definitions; terms and conditions; coverages; benefits; claim instructions; exclusions; and special state requirements. We use the term "extended warranty" and "warranty"interchangeably with the term "vehicle service contract," variations thereof, or "VSC," throughout the web site.
Definitions are explained in this site under Magnuson-Moss.
___________________________________________________________
**All Quotes are non-binding and are based upon the accuracy of information you have provided.
**All applications are submitted to the administrator of the insurance company for verification and acceptance. ____________________________________________________________
**Pre-owned plans require an acceptable vehicle inspection report to be completed and accepted prior to a claim being honored and/or a 30 day and 1000 mile waiting period.
___________________________________________________________ RV extended warranty for motorhomes rv extended warranty motorhome extended warranty prevost bus extended warranty and warranty for lomousines RV WARRANTY RV EXTENDED WARRANTY R V Extended Warranty WARRANTY MONACO PREVOST BUS WARRANTY rvonline rvamerica rvtrader rvclassifieds rvtraderonline RV WARRANTY RV Extended Warranty Limousine rv extended Warranty motorhome warranty RV Warranty Truck Warranty Prevost Bus Extended Warranty ACC Warranty Services ACCWS rv extended warranty, rv warranty, extended rv warranty, rv service contract,MOTORHOME WARRANTY RV Extended Warranty RV Warranty Motorhome Auto Warranty Powersports Warranty Car Warranty Auto F&I Extended Warranty Newmar Coach Warranty Monaco Coach Warranty Country Coach RV Extended Warranty Prevost Bus R V Motorhome Dealers Warranty Monaco Coach Prevost Bus Warranty Newmar, reinsure,reinsurance,warranty reinsurance,captive reinsurance,rv warranty company, motor home warranty, rv repair, rv dealer, prevost bus warranty, limousine warranty Auto and RV OEM EXTENDED WARRANTY CONSULTING SERVICES Consultant for Auto and RV Manufacturer's Warranty Program Administration -RV TRADER WARRANTY USED RV FOR SALE ONLINE WARRANTY RV CLASSIFIEDS RV DEALER MONACO COUNTRY COACH NEWMAR PREVOST BUS WARRANTY RV Extended Warranty, Motor Home Extended RV Warranty, RV Service Plan, Extended RV Warranty Company RV EXTENDED WARRANTY MOTORHOME WARRANTY USED RV FOR SALE WARRANTY RV CLASSIFIEDS RV.NET EXTENDED WARRANTY DEALER MONACO COUNTRY COACH NEWMAR PREVOST BUS WARRANTY RV Extended Warranty, Motor Home Extended RV Warranty, RV Service Plan, Extended RV Warranty Company
KEYWORDS:
rv warranty RV Extended Warranty extended rv warranty limousine extended warranty company rv service contract rv dealers bus warranty prevost prevostcar - RV WARRANTY,EXTENDED WARRANTY,EXTENDED RV WARRANTY,WARRANTY RV, RV Extended Warranty, Limousine, rv extended, Warranty, motorhome warranty,coach,motorcoach,coaches,monaco coach,country coach,american coach, newmar,fleetwood, holiday rambler,bus conversion,prevostcar,lazy days, beaudry,star,national,for sale,used rv,motorhome,motor home, RV Warranty, Truck Warranty, Prevost Bus, Extended Warranty, ACC Warranty Services, ACCWS,extended warranty, RVUSA, rvtrader, rvonline, lazydays rv, rvs, rv, find your rv, rv dealers, rv rentals, rv parts, rv accessories, rv service, roadside assistance, class a, class c, class b, pop-up, campers, finance, classified, ads, insurance, fifth wheel, travel trailer, extended warranty, show dates, manufacturers, motorhomes, america, motor home, motorhome, travel trailers, recreational vehicle, motor coach, campgrounds, resort, tourism, camper, rv community, rv forum, recipes, clubs, rv tips, rv products, rv suppliers, rv magazine, rv links, new, used, pre-owned, consignment, members, search, seek, trailers, van camper, truck camper, toy hauler, bus conversion, diesel pusher ,used RV, RV extended warranty, RV, RV service plan,RV insurance, RV warranty, RV service contract, limousine warranty, limo, limousine,Prevost, r.v., motorhome, motor home, acc warranty services, extended warranty,truck warranty,engine warranty,auto warranty,service contract,service, acc warranty services,accws,accws.com,limousine,warranty,rv,bus, repair,manufacturer,prevost,service, contract,dealer,extended
ACC Motorhome Warranty RV Warranty Prevost Bus Conversion RV Hummer Limousine Extended Warranty Newmar Coach Monaco Coach Country Coach RV Extended Warranty Prevost Bus R V Motorhome Dealers Warranty Monaco Prevost Bus Warranty Newmar prevost rv, motorhome warranty, used rv warranty, rv classifieds, rvonline, rvamerica, rvtrader, newell motorhome, extended warranty, newmar warranty, lazydays, rvonline, newmar coach, monaco coach, prevost bus, prevost rv, rv dealers, rv extended warranty, rv warranty, extended rv warranty, rv service contract, rv warranty company, motor home warranty, rv repair, rv dealer, prevost bus warranty, limousine warranty
ACC Warranty Services Motorhome and RV Warranty. Extended Warranty for all Prevost Bus Conversions, RV's, Hummer Limousines, along with Extended Warranty for Newmar Coach, Monaco Coach, Country Coach. New RV Extended Warranty coverage for Prevost Bus RV and commercial seated coaches. Programs for Motorhome Dealers with Monaco warranty, Prevost Bus Warranty, and Newmar and Country Coach.